A perceived lack of communication is the primary reason for patient dissatisfaction, not a doctor’s qualifications, expertise or the diagnosis given. A study of 35,000 physician reviews posted online shows that 96 percent of complaints could be linked to poor communications or poor customer service by physicians or office staff.
We’ve all experienced the frustration often associated with contacting a physician: the phone tree of choices, the wait to speak to someone, the inevitable leaving of a message and hoping for a return phone call in a day (or two). So, it’s no wonder that younger patients, especially, are embracing newer forms of communication such as text and social media messaging.
Physicians, practices and health systems, however, must tread carefully when communicating via text with patients. HIPAA prohibitions regarding the sharing of protected health information (PHI) apply, and compliance isn’t as simple as deleting communications from a phone.
Secure texting can be useful in many contexts, including communications between providers, between provider and patient and for educational purposes to help patients understand and manage their conditions. But successful adoption of any secure communications platform requires using a platform that’s HIPAA compliant, meets security and data storage standards, conforms to the workflows of practices and physicians, and obtains informed consent from the patients.
Questions over HIPAA data sharing
Healthcare organizations still struggle with implementation and compliance of the Healthcare Insurance Portability and Accountability Act (HIPAA), even after nearly 25 years of its adoption.
Organizations that don’t protect data diligently are subject to hefty fines from the Office of Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS) charged with monitoring healthcare data protection. But as the tenets of value-based care take hold, healthcare organizations are complaining that data privacy and security rules are hurting their ability to share data with other providers who are jointly responsible for a patient’s care episode.
Last fall, the Centers for Medicare & Medicaid Services (CMS) put out a request for information looking for ways to reduce potential HIPAA burdens that limit care coordination and case management among healthcare providers. The wide range of responses among healthcare organizations highlights the differences of opinion on this issue.
In written comments, the American Health Information Management Association (AHIMA) and the American Medical Informatics Association (AMIA) sought clarification on access rights and ways to reduce barriers to healthcare data sharing.
AHIMA seeks a uniform health data set by merging HIPAA requirements and health IT certifications to include all clinical, biomedical and claims data held by covered entities and business associates. AMIA advocates for the timely sharing of data among patients and providers, noting a significant burden on timely access and the use of HIPAA to restrict data sharing, especially mental health data.
While the American Medical Association (AMA) generally supports care coordination efforts, it believes that patient privacy and confidentiality should remain central tenets of any proposed information sharing. The group reiterates the rights of patients to control their own data, noting that current regulations don’t prohibit data sharing for care coordination. Rather, certain healthcare entities restrict data sharing because they don’t understand the law.
HIPAA supports secure texting
When used in accordance with HIPAA regulations, texting can be an acceptable method of communication between patients and providers or among providers. But the same data security rules that apply to electronic medical record (EMR) systems and secure email also apply to texting.
Those rules include restricting access to authorized users, creating a unique identifier for each user, keeping messages in accordance with data retention policies, and using an audit trail to monitor disclosure. Additionally, if a patient agrees to the method of transportation the data should not need to be encrypted all the way to delivery. No different than a phone call which can be overheard or intercepted.
Caregivers cannot just pick up their personal smartphones and communicate with patients without a secure texting solution. Security and privacy safeguards must be in place to ensure the communication is encrypted, meets HIPAA compliance standards, is retained as part of the medical record, and has been consented to by the patient. The patient is not under such constraints. The patient, so long as they are informed properly, may choose to consent to access their data in any way which is convenient for them.
Continued confusion over the two decade-old law has not stopped federal authorities from taking strong enforcement action. In 2018, HHS set a record for HIPAA fines, collecting $28.7 million from providers, insurers and business associates during the year. The year’s second-highest settlement involved unencrypted devices at Houston’s MD Anderson Cancer Center, which cost the provider $4.3 million.
Ubiquitous smartphones promote texting culture
Younger generations have grown up with smartphones, treating them as extensions of themselves. Cell phone ownership in general is 95 percent, with smartphone ownership at 75 percent. However, smartphone ownership among Americans ages 18-49 tops 90 percent, dropping among older Americans.
Simple (SMS) text messages are opened 99 percent of the time, with nearly all getting opened within three minutes. So, it’s not surprising that younger patients are pushing practices to communicate in ways that patients prefer.
Although smartphones obviously have calling capabilities, many users prefer texts and social media to phone calls. They also are seeking more immediacy in their communications. The days of a physician calling patients back at the end of the day or the next day will soon pass into history, replaced by near-real time communication. But any communication between providers and patients must be conducted in a HIPAA-compliant manner if PHI is exchanged.
Emerging, secure communications platforms that include push notifications can help patients better understand and manage their diagnoses while retaining patient loyalty, both important considerations as value-based and collaborative care models transform healthcare delivery.
One study showed that patients recall only 40 percent of the information they receive in a medical setting. Even more unsettling is the fact that nearly half of what patients recall turned out to be erroneous. Push notifications, delivered in a compliant manner, can help with understanding.
Another study showed that only 27 percent of patients fully comply with their treatment regimens and that 40 percent believed they could do better if they received timely reminders and advice from their providers.
How to leverage secure texting
When exploring a secure communications platform that includes texting and social media, there’s more to consider than the technology. Practices may need to rethink workflows and job duties to fully leverage the communications platform.
As with any communications, care must be taken to ensure that patient identity and related information is correct before it is used. Staff education is critical, and policies should be in place so everyone understands both proper and improper uses of electronic communications. Patients must be properly informed about what and how electronic communications will be used, and patients should be able to easily opt in and opt out of communications.
Any technology should be as easy as possible for patients to use. Many practices have patient portals, but how many patients actually remember their passwords and can access health information or email their physicians without difficulty? Ideally, a practice’s system will be seamless to patients, with no apps or special logins required.
Practice managers and technologists should ensure that any secure communications platform includes an audit trail to monitor who sent what and when, with information encrypted while at rest and in transit. All correspondence should be collected as part of a patient’s health record, with the proper document retention policies enforced. The system should interface with the practice management system or EMR, and any vendor should be able to clearly outline the security and privacy protocols that have been baked into the software.
In the United States alone, 18 billion texts are sent every day, 32 for every person. Most texts are sent through Facebook Messenger, WhatsApp, message services for iPhone or Android and others, underlining the importance of messaging in everyday life.
Medical practices must embrace texting as a way to communicate with increasingly tech-savvy patients using the methods they prefer. However, HIPAA regulations require all communications that exchange protected health information be encrypted and flow to a patient’s health record, so this means the providers must not use their personal SMS as a means of communicating with the patient. The patient may choose to use SMS directly with their smartphone but must be informed and give consent.
A unified and secure communications platform can help providers stay compliant while enabling patients to exchange medical information through text or social media messaging, giving a level of caring and intimacy that other forms of communication can’t touch.
Photo: shapecharge, Getty Images